UK FCA fines Equifax £11.16m for massive cybersecurity breach in 2017
The 2017 breach affected approximately 13.8 million UK consumers. Equifax found out about the breach six weeks after its parent company did, learning about the incident just minutes before it went public in the US.
The UK Financial Conduct Authority (FCA) has slapped Equifax Ltd with an £11.16 million fine for its role in one of the largest cybersecurity breaches ever recorded.
The FCA cited the company’s failure to manage and secure the data of UK consumers, which had been outsourced to its US-based parent company, Equifax Inc.
2017 breach affected approximately 13.8 million UK consumers
The 2017 breach affected approximately 13.8 million UK consumers. Hackers gained unauthorized access to a range of personal data, including names, dates of birth, phone numbers, and even partially exposed credit card details. The incident opened up UK consumers to significant risks, including potential identity theft and other financial crimes.
Equifax Ltd did not treat its data handling relationship with its American parent company as “outsourcing,” and therefore failed to exercise proper oversight. Known vulnerabilities in Equifax Inc’s security systems were left unaddressed by Equifax Ltd, further jeopardizing the safety of UK consumer data.
Moreover, Equifax found out about the breach six weeks after its parent company did, learning about the incident just minutes before it went public in the US. This led to significant delays in addressing customer complaints and notifying UK consumers.
Post-breach, Equifax was found to have released public statements that understated the scale of the impact on UK consumers. Furthermore, the company failed to implement quality assurance checks on customer complaints, leading to mishandling and exacerbating consumer distress.
“Financial firms hold data on customers that is highly attractive to criminals”
Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA, stated, “Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so.”
Jessica Rusu, FCA Chief Data, Information, and Intelligence Officer, emphasized the increasing importance of cybersecurity and data protection in financial services. “Firms not only have a technical responsibility to ensure resiliency but also an ethical responsibility in the processing of consumer information,” she said.
Heightened Standards in Data Protection
The FCA mandates that regulated financial firms maintain effective cybersecurity measures and remain responsible for outsourced data. In the wake of breaches, firms are required to promptly notify affected individuals and implement fair complaints handling procedures.
The Equifax case serves as a cautionary tale to other financial institutions, driving home the importance of stringent data protection measures in a digital age increasingly vulnerable to sophisticated cyber threats.